
Re: IDS thoughts

From: Roger A. Grimes <rogerg(at)cox.net>
Date: Tue May 20 2003 - 14:51:38 EDT

Mike, enjoyed the thoughts below. It's also interesting to note that Dr. Denning, who most consider the mother of Anomaly Detection (because of her 1985 paper on it), even concluded in her landmark paper that she didn't believe AD alone to be a viable, stand-alone ID model. Even back then she saw it as an adjunct model...which supports the whole hybrid, use-both-where-they-fit-best solutions.

Roger



*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*********************************************************************************
----- Original Message -----
From: "Mike Frantzen" <frantzen@nfr.net>
To: "Stefano Zanero" <stefano.zanero@ieee.org>
Cc: <focus-ids@securityfocus.com>
Sent: Tuesday, May 20, 2003 2:25 PM
Subject: Re: IDS thoughts

> > You are joking, right ? There's a whole lot of research still open in the
> > IDS field. Just to begin, you are apparently forgetting that there's a whole
> > paradigm of ID, anomaly-based detection, which has just been forgotten by
> > the mainstream development.
>
> I don't think anyone has forgotten anomaly-based detection. Most
>
> > keep up to date their growing signature base, and face increasing performance
> > problems, probably some attention will be returned at that preliminary
> > choice of matching bad_things instead of good_ones.
>
> Keeping up isn't as hard as you would think. Even for pure pattern
>
> > everything very tight, then open up what few ports you actually need. When it comes to
> > privileges and authentication, we do the same thing, and we are quick to
> > point out the error when someone tries to filter out unwanted input, instead
> > than specifying what is the expected one.
> > Oddly, when we talk about IDS and antivirus software, we blindly accept that
> > there's only one way to do it: by describing what we do NOT want on our
> > system by the mean of signature. Well, this happens to be a BAD idea, even
> > if until now it has given us some satisfactions.
>
> Ok. I do both firewall development (OpenBSD) and IDS development (NFR).

INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2


Received on Wed May 21 15:26:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT